Drew Morris asked, and Christian Warden answered:
Exim configuration for SMTP AUTH against the dbmail database is pretty straightforward.
begin authenticators

plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${lookup mysql{SELECT user_idnr FROM users WHERE userid = '${quote_mysql:$2}' AND passwd = '${quote_mysql:$3}'}{1}fail}
  server_set_id = $2
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${lookup mysql{SELECT user_idnr FROM users WHERE userid = '${quote_mysql:$1}' AND passwd = '${quote_mysql:$2}'}{1}fail}
  server_set_id = $1
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}
  server_set_id = $1

spa:
  driver = spa
  public_name = NTLM
  server_password = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}
(0000435) aaron 11-Dec-04 01:07
Blake Mitchell said:
We had to rebuild Postfix to use SASL. Then, from main.cf:
....
# SMTP SERVER CONTROLS
#
# The smtpd_sasl_auth_enable parameter controls whether SMTP client
# authentication is enabled in the Postfix SMTP server. By default,
# the Postfix SMTP server does not use authentication.
#
# If an SMTP client is authenticated, then the permit_sasl_authenticated
# access restriction can be used to permit relay access, like this:
#
# smtpd_recipient_restrictions = permit_sasl_authenticated, ...
#
# To reject all SMTP connections from unauthenticated clients,
# specify smtpd_delay_reject=yes (which is the default) and use:
#
# smtpd_client_restrictions = permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
#
# In order to enable server-side authentication, build Postfix with
# SASL support, and install a configuration file /usr/lib/sasl/smtpd.conf
# (SASL version 1) or /usr/lib/sasl2/smtpd.conf (SASL version 2) with
# as contents, for example,
#
# pwcheck_method: sasldb
#
# or whatever method is suitable for your environment: PAM, shadow,
# etc. If you use sasldb, you can add users with the "saslpasswd"
# command that comes with the SASL library. If you configure Postfix
# to use PAM, the PAM service name for SASL authentication is "smtp",
# and adding users depends entirely on how PAM is set up.
#
# If you run your SMTP server chrooted, then you need to copy PAM
# and/or SASL support libraries and data files into the chroot jail.
# That's a lot of files, and it seems not very practical to do so.
#
smtpd_sasl_auth_enable = yes
#smtpd_sasl_auth_enable = no

# The smtpd_sasl_security_options parameter controls what authentication
# mechanisms the Postfix SMTP server will offer to the client. The
# list of available authentication mechanisms is system dependent.
#
# Specify zero or more of the following:
#
# noplaintext: disallow methods that use plaintext passwords
# noactive: disallow methods subject to active (non-dictionary) attack
# nodictionary: disallow methods subject to passive (dictionary) attack
# noanonymous: disallow methods that allow anonymous authentication
#
# An additional option is available in SASL version 2:
#
# mutual_auth: only allow methods that provide mutual authentication
#
# By default, the Postfix SMTP server accepts plaintext passwords but
# not anonymous logins.
#
# HORROR! It appears that clients try authentication methods in the
# order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
# which means that if you disable plaintext passwords, clients will
# log in anonymously, even when they should be able to use CRAM-MD5.
# So, if you disable plaintext logins, disable anonymous logins too.
# Postfix treats anonymous login as no authentication.
#
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_security_options = noanonymous

# The smtpd_sasl_local_domain parameter specifies the name of the
# local authentication realm.
#
# By default, the local authentication realm name is the name of the
# machine.
#
#smtpd_sasl_local_domain = $mydomain
smtpd_sasl_local_domain = $myhostname
....

blake@sls-cd7p8:~$ cat /usr/lib/sasl/smtpd.conf
pwcheck_method:PAM

blake@sls-cd7p8:~$ cat /etc/pam.d/smtp
#%PAM-1.0
auth required /lib/security/pam_mysql.so user=root db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd
account required /lib/security/pam_mysql.so user=root db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd
This is on RedHat 7.3.
(0000436) aaron 11-Dec-04 01:08
Wolfram Kraushaar said:
For SMTP AUTH with Postfix 2.1.5, cyrus-sasl 2.1.20 and a DBMail MySQL backend I use the following settings.

Prerequisites:
- Cyrus-SASL was built with support for MySQL and PostgreSQL
- Postfix was built with support for Cyrus-SASL, MySQL and PostgreSQL
In Postfix's main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender,
    permit_sasl_authenticated, reject_unauth_destination

In Cyrus-SASL's /usr/local/lib/sasl2/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: login plain cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: <dbmail-dbhost>
sql_user: <dbmail-dbuser>
sql_passwd: <dbmail-dbpass>
sql_database: <dbmail-dbname>
sql_select: select passwd from dbmail_users where userid = '%u' AND userid != '__@!internal_delivery_user!@__' AND userid != 'anyone' AND userid != '__public__' AND passwd IS NOT NULL AND passwd != ''
As a side note: you cannot use encryption for the DBMail user passwords in the database if you want cyrus-sasl to use the DBMail database as the authentication backend.
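Added here as a worked illustration, not code from the thread or from Exim, Postfix or DBMail: a small Python model of what the Exim plain and cram_md5 authenticators above compute on the server side, with a constructed in-memory table standing in for the dbmail MySQL lookup. It shows why the side note holds: PLAIN only needs an equality check on the submitted password, while CRAM-MD5 needs the cleartext passwd as the server secret to recompute the client's HMAC-MD5. The RFC 2195 test vector (user tim) is used for the CRAM-MD5 case; the alice entry is made up.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the dbmail users table (userid -> passwd), stored in
# cleartext as the cram_md5 authenticator and the side note require.
# "tim"/"tanstaaftanstaaf" is the RFC 2195 example pair; "alice" is made up.
USERS = {
    "tim": "tanstaaftanstaaf",
    "alice@example.org": "correct horse battery staple",
}

def encode_sasl_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Client side of AUTH PLAIN: base64([authzid] NUL authcid NUL passwd)."""
    return base64.b64encode(f"{authzid}\x00{authcid}\x00{passwd}".encode()).decode()

def check_plain(b64_message: str) -> bool:
    """Server side of the Exim 'plain' authenticator: the NUL-separated parts
    become $1 (authzid), $2 (userid) and $3 (passwd), and the lookup only
    succeeds if a row with exactly that userid and passwd exists."""
    parts = base64.b64decode(b64_message).split(b"\x00")
    if len(parts) != 3:
        return False  # malformed message: Exim would fail the expansion
    userid = parts[1].decode("utf-8", "replace")
    stored = USERS.get(userid)
    return stored is not None and hmac.compare_digest(stored.encode(), parts[2])

def cram_md5_digest(challenge: str, secret: str) -> str:
    """HMAC-MD5 of the server challenge keyed with the shared secret (RFC 2195)."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

def cram_md5_response(challenge: str, userid: str, passwd: str) -> str:
    """Client side of AUTH CRAM-MD5: base64('userid digest')."""
    return base64.b64encode(f"{userid} {cram_md5_digest(challenge, passwd)}".encode()).decode()

def check_cram_md5(challenge: str, b64_response: str) -> bool:
    """Server side of the 'cram_md5' authenticator: server_secret is the cleartext
    passwd looked up for $1 (the userid), which the server needs to recompute the
    digest. A hashed passwd column cannot be used here; that is the side note's point."""
    userid, _, digest = base64.b64decode(b64_response).decode("utf-8", "replace").partition(" ")
    secret = USERS.get(userid)
    if secret is None:
        return False
    return hmac.compare_digest(cram_md5_digest(challenge, secret).encode(), digest.encode())
```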
(0000775) cwarden 17-Jul-05 19:19
The spa authenticator for Exim was missing a line. It should be:
spa:
  driver = spa
  public_name = NTLM
  server_set_id = $1
  server_password = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}